
Positive Technologies - CONFIDENTIAL MESSAGING PROVIDER … · 2017-06-23 · About Positive Technologies Positive Technologies is a leading global provider of enterprise security


CONFIDE—CASE STUDY

THE CHALLENGE

Examine full client-side and server-side code base for vulnerabilities, recommend remediation work for any flaws found and re-test to confirm app is vulnerability-free

Consumers send tens of billions of instant messages each day globally, using many different applications. But the world is waking up to the risks involved. A permanent digital record of your messages can potentially be used to harm you—either by malicious third parties or even the intended recipient. New York-based Confide Inc. developed its confidential messenger service, Confide, with the goal of creating a global and ubiquitous messenger that allowed people to communicate digitally with the same level of privacy and security as the spoken word.

Confide messages are end-to-end encrypted, but they also self-destruct and are screenshot protected so they can't be forwarded, printed or archived. And security doesn't stop at message encryption: "When you create a confidential messenger, you can't allow it to be insecure and exposed to attacks," says Confide CTO Rich Hong. "We have always put a strong emphasis on the privacy and security of our customers, so Confide pays attention not just to securing users' conversations, but also to securing the product itself. As we continued to grow, we knew that doing an external security assessment would be an important way to further strengthen the security of our products and provide our customers with even more confidence in our service. That's why we decided to have application security experts thoroughly review our entire code base—both client-side and server-side—to give us and our customers additional assurance that our apps are safe."

THE SOLUTION

Positive Technologies Application Security Services

The Positive Technologies application security assessment team spent six weeks working alongside Confide's own software engineers to conduct a deep-dive review of the company's entire software stack. A range of proprietary and publicly available tools were used to conduct black-box, gray-box, and white-box testing.

The security assessment reviewed multiple areas for potential design and implementation flaws, including authentication, authorization, remote code execution, and more. The team also searched for weaknesses that might lead to the disclosure of sensitive information, as well as system logic errors and misconfiguration of both servers and applications. No critical or high severity issues were found, but a small number of medium and low severity vulnerabilities were identified.

"Working with Positive Technologies was a dynamic and productive experience," confirms Mr. Hong. "Our team received a weekly report on the vulnerabilities found and the recommendations for remediation. This enabled us to get straight to work fixing weaknesses as soon as they were uncovered. After the assessments and remediation work had concluded, Positive Technologies conducted follow-up validation testing to confirm we had properly addressed all the issues identified."

COMPANY PROFILE

- Industry: Software
- Location: New York, USA
- Ownership: Privately owned
- Key Investors: WGI, GV, First Round Capital, SV Angel, Lakestar, Marker, CrunchFund, LererHippeau
- Service Offering: Confidential messaging applications
- Supported Platforms: iOS, Android, macOS, and Windows
- Available in: 15 languages; 200+ countries

CONFIDENTIAL MESSAGING PROVIDER CONFIDE INC. BOOSTS CONSUMER CONFIDENCE WITH APPLICATION SECURITY SERVICES FROM POSITIVE TECHNOLOGIES


Confide_CS_A4.ENG.0004.04

HIGHLIGHTS

- Strengthened customer confidence: provided Confide with independent verification its app was free of vulnerabilities
- Surpassed typical AppSec standards: detailed review covered entire code base, including server-side elements
- Explored full range of attack vectors: white-box, black-box & gray-box testing used to simulate both internal and external attacks
- Accelerated remediation process: collaborative approach saw vulnerabilities fixed in parallel with ongoing review

THE BENEFITS

Enhanced consumer confidence levels with independent verification that the code base was free from any high, medium, or low severity vulnerabilities.

"We were very pleased that Positive Technologies, one of the world's leading IT security research companies, didn't find any critical flaws in our applications," says Mr. Hong. "The structure of the engagement also allowed us to resolve the small number of medium and low severity vulnerabilities quickly and efficiently."

"We were really happy with the assessment work and how the project was conducted. We remain committed to continuously improving the security of our products and services and we look forward to working with the Positive Technologies team again in the future."

[email protected] ptsecurity.com

About Positive Technologies

Positive Technologies is a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection. Commitment to clients and research has earned Positive Technologies a reputation as one of the foremost authorities on Industrial Control System, Banking, Telecom, Web Application, and ERP security, supported by recognition from the analyst community. Learn more about Positive Technologies at ptsecurity.com.

© 2017 Positive Technologies. Positive Technologies and the Positive Technologies logo are trademarks or registered trademarks of Positive Technologies. All other trademarks mentioned herein are the property of their respective owners.